#!/bin/bash

ROOT_PATH=$(cd $(dirname $0) && pwd);

DEBS="strongswan libstrongswan-extra-plugins libcharon-extra-plugins strongswan-pki strongswan-swanctl"

apt purge -y $DEBS
apt autoremove -y

apt -y install $DEBS

sudo sh -c "echo '
config setup
    cachecrls=yes
    #uniqueids=yes
	# strictcrlpolicy=yes
	uniqueids = no

conn rw-config
	dpdaction=clear
	dpddelay=35s
	dpdtimeout=300s
	fragmentation=yes
	rekey=no
	#ike=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha1-modp1024,aes256-sha1-modp2048
	#esp=aes128-sha1-modp1024,aes128-sha1-modp2048,aes256-sha1-modp1024,aes256-sha1-modp2048
	ike=aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024
	esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    #rightsubnet=10.126.253.0/24
    #rightdns=10.126.253.1
    rightdns=%dhcp
    #rightsourceip=%config

conn ikev1-xauthpsk
    also=rw-config
    keyexchange=ikev1
    rightsourceip=%dhcp
    authby=xauthpsk
    xauth=server
    auto=add
' > /etc/ipsec.conf"


# RADIUS

sudo sed -i 's/# secret =/secret =/' /etc/strongswan.d/charon/eap-radius.conf
sudo sed -i "s/secret =.*/secret = $(cat $ROOT_PATH/cfg/radius.secret)/" /etc/strongswan.d/charon/eap-radius.conf

sudo sed -i 's/# server =/server =/' /etc/strongswan.d/charon/eap-radius.conf
sudo sed -i 's/server =.*/server = 127.0.0.1/' /etc/strongswan.d/charon/eap-radius.conf

# DHCP

sudo sed -i 's/# server =/server =/' /etc/strongswan.d/charon/dhcp.conf
sudo sed -i 's/server =.*/server = 10.126.253.1/' /etc/strongswan.d/charon/dhcp.conf

#sudo sed -i 's/# identity_lease =/identity_lease =/' /etc/strongswan.d/charon/dhcp.conf
#sudo sed -i 's/identity_lease =.*/identity_lease = yes/' /etc/strongswan.d/charon/dhcp.conf

sudo sed -i 's/# force_server_address =/force_server_address =/' /etc/strongswan.d/charon/dhcp.conf
sudo sed -i 's/force_server_address =.*/force_server_address = yes/' /etc/strongswan.d/charon/dhcp.conf

# DNS

sudo sed -i 's/# dns1 =/dns1 =/' /etc/strongswan.d/charon.conf
sudo sed -i 's/dns1 =.*/dns1 = 10.126.253.1/' /etc/strongswan.d/charon.conf


sudo sed -i 's/^[^#].*//' /etc/ipsec.secrets

sudo sh -c "echo '
%any %any : PSK \"'$(cat $ROOT_PATH/cfg/ipsec.secret)'\"
' >> /etc/ipsec.secrets"

sudo ipsec restart


### iptables ###

# Внешний интерфейс сервера
IF_EXT="eth0"

# Внутренние интерфейсы (обслуживающие ВПН-клиентов)
#IF_INT="ppp+"
#IF_INT="l2tpnstun"

# Сеть, адреса из которой будут получать ВПН-клиенты
NET_INT="10.126.253.0/24"

# Разрешаем всё для ВПН-клиентов
iptables -A INPUT -s ${NET_INT} -j ACCEPT

# Разрешаем входящие соединения к L2TP
# Но только с шифрованием!
#iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
#iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp -j ACCEPT

# Разрешаем IPSec
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# NAT для локальной сети (ВПН-клиентов)
#iptables -t nat -A POSTROUTING -s ${NET_INT} -d ${NET_INT} -j MASQUERADE -o ${IF_INT}
iptables -t nat -A POSTROUTING -s ${NET_INT} -j MASQUERADE -o ${IF_EXT}
#iptables -t nat -A POSTROUTING -s 10.126.253.0/24 -j MASQUERADE -o ppp+
#iptables -A FORWARD -i ${IF_INT} -o ${IF_EXT} -s ${NET_INT} -j ACCEPT
#iptables -A FORWARD -i ${IF_INT} -j ACCEPT
#iptables -A FORWARD -i ${IF_EXT} -o ${IF_INT} -d ${NET_INT} -m state --state RELATED,ESTABLISHED -j ACCEPT

netfilter-persistent save

